© 2020 - ntop Security-Centric Traffic Analysis Luca Deri <[email protected]> @lucaderi



Why Is Security-Centric Traffic Analysis Important?

• The constant increase in cyber-attacks has required NTAs to focus on security aspects in addition to traditional monitoring (i.e. latency monitoring, service availability, …).

• In particular, new challenges include:
◦ Encrypted traffic analysis.
◦ Detection of vulnerable protocols and ciphers.
◦ Complete visibility, including IoT devices (e.g. badge readers) that can create serious issues.
◦ Realtime identification of threats and suspicious events.


Cybersecurity Monitoring: Requirements

• Distributed monitoring platform
◦ Network edge traffic monitoring + centralised analysis

• Deep network traffic dissection to also inspect encrypted traffic (more and more popular).

• Interpret traffic monitoring data to create alarms from raw signals and trigger actionable insights (e.g. mitigate the problem identified).

• Export monitoring information in an open format towards multiple consumers/subscribers.


Typical Deployment: Traffic Processing [1/2]

[Diagram: several nProbe instances (Packet Capture; Flow-centric Traffic and Security Analysis) feed a central ntopng (Intra-Flow/Network Traffic and Security Correlation, "the big picture"). Links are labelled "Encrypted Communication (Flows)" and "NetFlow/IPFIX/sFlow (Insecure communication)".]


Typical Deployment: Traffic Processing [2/2]

• nDPI is an open source DPI toolkit on top of which nProbe computes flow statistics. It:
◦ Decodes the initial flow packets to detect the application protocol (e.g. Google Maps).
◦ Analyses encrypted traffic to detect issues hidden in payload content that cannot be inspected.
◦ Extracts metadata from selected protocols (e.g. DNS, HTTP, TLS, …) and matches it against known algorithms to detect selected threats (e.g. DGA hosts, Domain Generation Algorithm).

[Diagram: nProbe, containing Flow Processing and nDPI, fed by Packet Capture.]


nDPI: Identified Flow Risks

• HTTP suspicious user-agent
• HTTP numeric IP host contacted
• HTTP suspicious URL
• HTTP suspicious protocol header
• TLS connections not carrying HTTPS (e.g. a VPN over TLS)
• Suspicious DGA domain contacted
• Malformed packet
• SSH/SMB obsolete protocol/application version
• TLS suspicious ESNI usage
• Unsafe protocol used
• XSS (Cross Site Scripting)
• SQL Injection
• Arbitrary Code Injection/Execution
• Binary/.exe application transfer (e.g. in HTTP)
• Known protocol on non standard port
• TLS self-signed certificate
• TLS obsolete version
• TLS weak cipher
• TLS certificate expired
• TLS certificate mismatch
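The following is an added example (not nDPI's or nProbe's own code) of how the flow-risk idea on this slide and the metadata matching described on the previous one can be implemented over extracted flow metadata. It evaluates a few of the listed risks (numeric IP host, scripted user-agent, known protocol on a non-standard port, obsolete TLS version, weak cipher, self-signed certificate) plus a simple DGA heuristic over the second-level domain label. The flow records, port table, user-agent prefixes and DGA thresholds are all constructed for the example; a real engine would use larger tables and trained DGA models.

```python
import math
import re
from collections import Counter

# Constructed flow metadata records in the spirit of what a DPI engine
# extracts (application protocol, server port, HTTP and TLS attributes).
# Synthetic examples, not captured traffic.
FLOWS = [
    {"id": 1, "proto": "HTTP", "dst_port": 80, "host": "93.184.216.34",
     "user_agent": "python-requests/2.25", "tls": None},
    {"id": 2, "proto": "TLS", "dst_port": 443, "host": "www.example.com",
     "tls": {"version": "TLSv1.0", "cipher": "TLS_RSA_WITH_RC4_128_SHA",
             "self_signed": True}},
    {"id": 3, "proto": "SSH", "dst_port": 8080, "host": None, "tls": None},
    {"id": 4, "proto": "DNS", "dst_port": 53, "host": "xk3q9zv7tq1lwp.com", "tls": None},
    {"id": 5, "proto": "TLS", "dst_port": 443, "host": "mail.example.com",
     "tls": {"version": "TLSv1.3", "cipher": "TLS_AES_128_GCM_SHA256",
             "self_signed": False}},
]

# Hypothetical tables: expected ports per protocol, obsolete TLS versions,
# substrings that mark weak cipher suites, and user-agents typical of scripts.
STANDARD_PORTS = {"HTTP": {80, 8080}, "TLS": {443}, "SSH": {22}, "DNS": {53}}
OBSOLETE_TLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "NULL", "_DES_", "3DES", "_MD5", "EXPORT")
SCRIPTED_UA_PREFIXES = ("curl/", "python-requests/", "wget/")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def shannon_entropy(text):
    """Bits per character of a label; random-looking labels score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_dga(domain):
    """Heuristic DGA check on the second-level label: long, high-entropy and
    vowel-poor or digit-heavy. Assumes plain two-level TLDs (not co.uk etc.)."""
    labels = domain.lower().split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    if len(sld) < 10:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in sld) / len(sld)
    digit_ratio = sum(ch.isdigit() for ch in sld) / len(sld)
    return shannon_entropy(sld) > 3.0 and (vowel_ratio < 0.2 or digit_ratio > 0.2)


def flow_risks(flow):
    """Return the list of risk names raised by one flow record, in check order."""
    risks = []
    proto, host, tls = flow["proto"], flow.get("host"), flow.get("tls")
    if proto == "HTTP":
        if host and IPV4_RE.match(host):
            risks.append("HTTP numeric IP host contacted")
        ua = flow.get("user_agent") or ""
        if not ua or ua.lower().startswith(SCRIPTED_UA_PREFIXES):
            risks.append("HTTP suspicious user-agent")
    if proto in STANDARD_PORTS and flow["dst_port"] not in STANDARD_PORTS[proto]:
        risks.append("Known protocol on non standard port")
    if tls:
        if tls["version"] in OBSOLETE_TLS:
            risks.append("TLS obsolete version")
        if any(marker in tls["cipher"] for marker in WEAK_CIPHER_MARKERS):
            risks.append("TLS weak cipher")
        if tls.get("self_signed"):
            risks.append("TLS self-signed certificate")
    if host and not IPV4_RE.match(host) and looks_like_dga(host):
        risks.append("Suspicious DGA domain contacted")
    return risks


def risk_report(flows):
    """Map flow id -> list of risks, the shape a probe would export per flow."""
    return {flow["id"]: flow_risks(flow) for flow in flows}


if __name__ == "__main__":
    for flow_id, risks in risk_report(FLOWS).items():
        print(flow_id, risks or "clean")
```

The DGA heuristic is deliberately simple: it catches random-looking labels but will miss dictionary-based DGAs and may flag legitimate CDN or hashed hostnames, which is why a probe reports it as a risk to be correlated rather than as a verdict.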


ntopng Traffic Consolidation [1/2]

• While nProbe is a flow-oriented probe that monitors traffic at the edge, ntopng is a data collector that correlates signals coming from distributed probes and provides:
◦ Intra-flow correlation at host, AS and network-interface level to spot higher-level threats.
◦ The ability to trigger alerts based on user-defined scripts that are executed on collected data after consolidation.
◦ Actionable insights to react to detected issues.
◦ Web-based reports and export to external systems.


ntopng Traffic Consolidation [2/2]

[Diagram: ntopng ingress/egress data. Ingress: security events. Egress: alerts, long-term data storage (nIndex/n2disk). SNMP.]


Searching Mice in Noise Traffic

Low-bandwidth periodic connections might hide misuse (e.g. periodic tasks), botnet command-and-control communications, unauthorised monitoring.
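An added example (not ntopng's own code) of the kind of check that finds such "mice": it groups flows by (source, destination, port), measures the regularity of their start times and flags pairs that talk often, at a steady period, with tiny payloads. The flow records, thresholds and the pair that beacons every ~60 s are constructed for the example.

```python
import statistics
from collections import defaultdict

# Constructed flow records: (start_ts seconds, src, dst, dst_port, bytes).
# 10.0.0.7 contacts 203.0.113.9 roughly every 60 s with ~400-byte flows
# (a beacon-like pattern); 10.0.0.5 browses irregularly with large transfers.
FLOWS = [
    (0, "10.0.0.7", "203.0.113.9", 443, 410),
    (61, "10.0.0.7", "203.0.113.9", 443, 398),
    (119, "10.0.0.7", "203.0.113.9", 443, 421),
    (181, "10.0.0.7", "203.0.113.9", 443, 405),
    (240, "10.0.0.7", "203.0.113.9", 443, 399),
    (302, "10.0.0.7", "203.0.113.9", 443, 412),
    (5, "10.0.0.5", "198.51.100.20", 443, 152000),
    (17, "10.0.0.5", "198.51.100.20", 443, 88000),
    (140, "10.0.0.5", "198.51.100.20", 443, 230000),
    (145, "10.0.0.5", "198.51.100.20", 443, 4200),
    (300, "10.0.0.5", "198.51.100.20", 443, 91000),
]


def find_periodic_mice(flows, min_flows=5, max_cv=0.2, max_bytes=2048):
    """Return pairs whose flows recur at a steady interval with small payloads.

    min_flows: minimum number of flows before judging a pair.
    max_cv:    maximum coefficient of variation (stdev/mean) of the gaps
               between consecutive flows; low values mean a regular period.
    max_bytes: every flow of the pair must stay below this size.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        by_pair[(src, dst, port)].append((ts, nbytes))

    findings = []
    for pair, records in by_pair.items():
        if len(records) < min_flows:
            continue
        records.sort()
        times = [ts for ts, _ in records]
        sizes = [nbytes for _, nbytes in records]
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv and max(sizes) <= max_bytes:
            findings.append({"pair": pair, "period_s": round(mean_gap, 1),
                             "jitter_cv": round(cv, 3), "flows": len(records)})
    return findings


if __name__ == "__main__":
    for finding in find_periodic_mice(FLOWS):
        print(finding)
```

The thresholds are the tuning knobs: a tighter `max_cv` reduces false positives from legitimate pollers (NTP, update checks, monitoring agents), while a looser one is needed when the periodic traffic deliberately adds jitter; in practice the finding is combined with the destination's reputation and the flow risks from the probe before raising an alert.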


Industrial IoT/Scada Monitoring [1/2]

• nDPI supports some popular IoT/SCADA protocols including Modbus, DNP3 and IEC 60870.

• IEC 60870 is very important as it can be used to detect issues such as:
◦ Unknown telemetry addresses
◦ Connection loss and restore
◦ Loss of data coming from remote systems

• ntopng features permanent IEC 60870 monitoring to detect industrial anomalies in addition to traditional traffic monitoring.
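An added example (not nDPI's or ntopng's own code) of the two checks named on this slide, written against the IEC 60870-5-104 framing: a small APDU/ASDU parser that classifies I/S/U frames and extracts the information object addresses (IOAs), and a monitor that reports link up/down transitions from STARTDT/STOPDT confirmations and any IOA not in a baseline of expected telemetry addresses. The packets, the baseline and the two supported ASDU types are constructed for the example; the control-field layout and U-function codes are those of the standard.

```python
import struct

START_BYTE = 0x68
# U-format control functions of IEC 60870-5-104 (first control octet).
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}
# Information element length for the ASDU types this example decodes:
# 1 = M_SP_NA_1 (single point, 1-byte SIQ), 13 = M_ME_NC_1 (short float + QDS).
ELEMENT_LEN = {1: 1, 13: 5}


def parse_asdu(asdu):
    """Decode the ASDU header and the information object addresses (IOAs)."""
    if len(asdu) < 6:
        raise ValueError("ASDU too short")
    type_id, vsq = asdu[0], asdu[1]
    if type_id not in ELEMENT_LEN:
        raise ValueError("unsupported ASDU type %d" % type_id)
    count, sequence = vsq & 0x7F, bool(vsq & 0x80)
    cot = asdu[2] & 0x3F                       # cause of transmission (6 bits)
    common_addr = struct.unpack_from("<H", asdu, 4)[0]
    elen, ioas, pos = ELEMENT_LEN[type_id], [], 6
    if sequence:                               # SQ=1: one IOA, contiguous elements
        base = int.from_bytes(asdu[pos:pos + 3], "little")
        ioas = [base + i for i in range(count)]
        pos += 3 + count * elen
    else:                                      # SQ=0: each object carries its IOA
        for _ in range(count):
            ioas.append(int.from_bytes(asdu[pos:pos + 3], "little"))
            pos += 3 + elen
    if pos != len(asdu):
        raise ValueError("ASDU length mismatch")
    return {"type": type_id, "cot": cot, "ca": common_addr, "ioas": ioas}


def parse_apdu(data):
    """Parse one APDU: start byte, length, four control octets, optional ASDU."""
    if len(data) < 6 or data[0] != START_BYTE:
        raise ValueError("not an APDU")
    if data[1] < 4 or len(data) != data[1] + 2:
        raise ValueError("length field disagrees with packet size")
    c1, c2, c3, c4 = data[2:6]
    if (c1 & 0x01) == 0:                       # I format: numbered, carries an ASDU
        return {"format": "I", "tx": (c1 >> 1) | (c2 << 7),
                "rx": (c3 >> 1) | (c4 << 7), "asdu": parse_asdu(data[6:])}
    if (c1 & 0x03) == 0x01:                    # S format: supervisory acknowledgement
        return {"format": "S", "rx": (c3 >> 1) | (c4 << 7)}
    return {"format": "U", "function": U_FUNCTIONS.get(c1, "unknown")}


class Iec104Monitor:
    """Tracks one RTU link: data-transfer state and unexpected telemetry addresses."""

    def __init__(self, known_ioas):
        self.known = known_ioas                # {common address: set of expected IOAs}
        self.link_up = False
        self.events = []

    def feed(self, data):
        frame = parse_apdu(data)
        if frame["format"] == "U":
            if frame["function"] == "STARTDT con":
                self.link_up = True
                self.events.append("link up")
            elif frame["function"] == "STOPDT con":
                self.link_up = False
                self.events.append("link down")
        elif frame["format"] == "I":
            asdu = frame["asdu"]
            expected = self.known.get(asdu["ca"], set())
            for ioa in asdu["ioas"]:
                if ioa not in expected:
                    self.events.append("unknown IOA %d on CA %d" % (ioa, asdu["ca"]))
        return frame


# Constructed packets (hex written by hand for the example, not captured).
STARTDT_CON = bytes([0x68, 0x04, 0x0B, 0x00, 0x00, 0x00])
STOPDT_CON = bytes([0x68, 0x04, 0x23, 0x00, 0x00, 0x00])
# I frame tx=1 rx=0; ASDU type 1, one object, COT 3 (spontaneous), CA 1, IOA 100, SIQ 1
SP_IOA100 = bytes([0x68, 0x0E, 0x02, 0x00, 0x00, 0x00,
                   0x01, 0x01, 0x03, 0x00, 0x01, 0x00, 0x64, 0x00, 0x00, 0x01])
# I frame tx=2 rx=1; same ASDU but IOA 999 (0x03E7), outside the baseline
SP_IOA999 = bytes([0x68, 0x0E, 0x04, 0x00, 0x02, 0x00,
                   0x01, 0x01, 0x03, 0x00, 0x01, 0x00, 0xE7, 0x03, 0x00, 0x01])

if __name__ == "__main__":
    monitor = Iec104Monitor({1: {100, 101}})
    for packet in (STARTDT_CON, SP_IOA100, SP_IOA999, STOPDT_CON):
        monitor.feed(packet)
    print(monitor.events)
```

"Loss of data" from a remote system is the one check not shown here: it needs wall-clock time, typically a watchdog that expects a TESTFR act/con exchange or spontaneous data within a configured interval and raises an event when the interval elapses while `link_up` is still true.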


Actionable Insights: Attack Mitigation via SNMP [1/2]

• Score is a metric used to detect issues on entities such as hosts, AS, networks.

• SNMP can be used not only to poll devices but also to modify their configuration.
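An added example (not ntopng's own scripting) tying together the consolidation step described on the "ntopng Traffic Consolidation" slide and the score-driven mitigation on this one: flow-level risk events from the probes are summed into a per-host score using weights, hosts above a threshold produce an alert, and the alert carries the SNMP action that would disable the host's access port (IF-MIB `ifAdminStatus` set to 2, "down"). The risk events, weights, threshold and host-to-switch-port table are constructed for the example; the `snmpset` argument list follows the net-snmp command syntax but is only built here, not executed.

```python
from collections import defaultdict

# Constructed flow-level risk events as a collector receives them from edge
# probes: (source host, risk name). Synthetic, not real data.
RISK_EVENTS = [
    ("10.0.0.7", "Suspicious DGA domain contacted"),
    ("10.0.0.7", "Suspicious DGA domain contacted"),
    ("10.0.0.7", "TLS self-signed certificate"),
    ("10.0.0.7", "Binary/.exe application transfer"),
    ("10.0.0.7", "Known protocol on non standard port"),
    ("10.0.0.5", "TLS obsolete version"),
    ("10.0.0.5", "HTTP suspicious user-agent"),
]

# Hypothetical weights: how much each risk contributes to an entity's score.
RISK_WEIGHTS = {
    "Suspicious DGA domain contacted": 50,
    "Binary/.exe application transfer": 100,
    "TLS self-signed certificate": 20,
    "Known protocol on non standard port": 30,
    "TLS obsolete version": 10,
    "HTTP suspicious user-agent": 10,
}
DEFAULT_WEIGHT = 5

# Constructed host -> (access switch, ifIndex) table, e.g. learned from
# bridge/LLDP tables; this is the port a mitigation would act on.
HOST_PORTS = {"10.0.0.7": ("switch-a.example.net", 12),
              "10.0.0.5": ("switch-a.example.net", 13)}


def host_scores(events):
    """Consolidate flow-level risks into one score per host."""
    scores = defaultdict(int)
    for host, risk in events:
        scores[host] += RISK_WEIGHTS.get(risk, DEFAULT_WEIGHT)
    return dict(scores)


def mitigation_for(host):
    """Describe the SNMP write that shuts the host's access port, if known."""
    if host not in HOST_PORTS:
        return None
    switch, ifindex = HOST_PORTS[host]
    return {"action": "snmp-set", "target": switch,
            "oid": "IF-MIB::ifAdminStatus.%d" % ifindex,
            "value": 2}  # ifAdminStatus: 1 = up, 2 = down


def consolidate(events, threshold=200):
    """Alerts for hosts whose consolidated score reaches the threshold."""
    alerts = []
    for host, score in sorted(host_scores(events).items()):
        if score >= threshold:
            alerts.append({"host": host, "score": score,
                           "mitigation": mitigation_for(host)})
    return alerts


def snmpset_argv(mitigation, community):
    """net-snmp command line for the action (built only, never run here)."""
    return ["snmpset", "-v2c", "-c", community, mitigation["target"],
            mitigation["oid"], "i", str(mitigation["value"])]


if __name__ == "__main__":
    for alert in consolidate(RISK_EVENTS):
        print(alert["host"], alert["score"], snmpset_argv(alert["mitigation"], "<community>"))
```

Two practical points: the threshold should be tuned against a baseline of the network's normal score distribution so that a single noisy risk cannot shut a port, and an SNMP write credential is high-value, so the collector should use SNMPv3 with authentication and privacy (or at least a write community restricted by ACL to the collector's address) rather than a v2c community sent in the clear.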
